Communications Provider Gains Exceptional Up-time and Security through Virtualization
Our customer, a leading expert in the telecommunications industry, approached NetworX IT with a unique challenge – how to secure, scale, and back up their network while rapidly expanding their business.
The priorities were keeping their customers' data private, meeting data compliance regulations, and securing their network against possible attacks and leakage.
When they decided to build a new office for their subsidiary – an office with over 300 employees – they were seeking the best possible solution for setting up and managing their office network.
Sagy Langer, the founder and CEO of NetworX IT, studied their needs and unique challenges and, together with the NetworX team, proposed an elegant, efficient and secure structure for their IT needs. The project went from planning to fruition in record time, and the network is managed and maintained flawlessly, allowing them to focus on their business instead of their technology.
To meet all of the requirements and allow for future growth, an onsite virtualized environment hosting Windows servers was chosen.
Network: a UTM firewall in high availability with two top-of-rack (TOR) 10GbE switches, connected to the other switches deployed on campus, was installed. These two switches carried all vLANs in a load-balanced way: each switch has half of the vLANs active and the other half on standby, and if one switch fails, its standby vLANs become active on the surviving switch. The switches were also configured with trunk ports using 20Gbps links between them for reliability and performance.
As most users connect over wireless, two wireless access controllers in high availability were installed, supporting 15 access points that cover the entire campus. Security was an essential aspect of the design, so the network was divided into different segments: each department has its own network segment, and one segment is used solely for network resources such as servers and printers.
We installed an isolated management network that exists only on network resources such as servers and appliances. This network is not reachable from the LAN and is used only for administering the environment, with strict rules that limit protocols and traffic. Management tasks are limited to dedicated "management workstations", to which administrators connect with a separate set of credentials. This minimizes mistakes made by administrators using their admin accounts on their day-to-day computers.
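One concrete way to enforce the "strict rules" on a Windows server in such a design is to bind the administrative protocols (RDP and WinRM) to the management NIC and to the management subnet only, and to turn off the broad built-in allow rules. The following is an added example written for this page, not a script from NetworX IT or the customer; the subnet, interface alias and profile are constructed assumptions.

```powershell
# Added example (not from the case study): restrict RDP and WinRM on a server so they
# are reachable only over the isolated management NIC and only from the management
# subnet. Run elevated on the server; requires the NetSecurity module (built in).
$MgmtSubnet = '10.99.0.0/24'   # placeholder: the isolated management network
$MgmtNic    = 'Management'     # placeholder: alias of the NIC on that network

# Default-deny inbound on the Domain profile so only explicit allow rules apply.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# Disable the built-in rules, which allow RDP/WinRM from any address on any interface.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop'             | Disable-NetFirewallRule
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management'  | Disable-NetFirewallRule

# Scoped allow rules: management subnet, management interface, domain profile only.
New-NetFirewallRule -DisplayName 'Admin-RDP from management network' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -InterfaceAlias $MgmtNic -Profile Domain -Action Allow

New-NetFirewallRule -DisplayName 'Admin-WinRM from management network' `
    -Direction Inbound -Protocol TCP -LocalPort 5985,5986 `
    -RemoteAddress $MgmtSubnet -InterfaceAlias $MgmtNic -Profile Domain -Action Allow

# Verification: list every enabled inbound rule that still opens 3389/5985/5986 and
# show its remote-address scope; anything scoped to "Any" is a gap to close.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(3389|5985|5986)$' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            Interface     = ($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias
        }
    }
```

The verification step is the part worth keeping in a build checklist: a later software install can re-enable a broad rule, and the listing above makes that visible. Pushing the same rules through Group Policy to every server on the resource vLAN keeps them consistent.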
At the edge of the network, we installed a next-generation firewall by Fortinet. This firewall controls and secures all traffic between the LAN, the DMZ, and the Internet. It is also tied to backend servers such as the Active Directory (AD) servers, so that access to websites and applications can be allowed or blocked per AD group. For example, members of the Marketing AD group can browse the company's social media sites whereas the rest of the employees cannot. The FortiGate device also serves as a VPN concentrator, allowing remote users to VPN into the office. Permission to log in is set by the user's membership in specific AD security groups, and each user "lands" on their relevant vLAN after connecting.
The Active Directory was painstakingly designed, resulting in a lean and functional structure that allowed for targeted feature deployment and security.
Regarding DNS, queries are not performed directly against public DNS servers on the Internet. Instead, the domain controllers (DCs) that act as DNS servers forward all queries to two DNS servers that reside on the DMZ network and are not part of the domain. This allowed us to minimize the exposure of internal servers to the Internet. CNAME records were used extensively to better support changes in server names and to minimize downtime.
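The forwarding arrangement and the CNAME practice described above can be expressed on a domain controller with the DnsServer module. This is an added example for this page, not the customer's configuration; the zone name and the DMZ resolver addresses are constructed placeholders.

```powershell
# Added example (not from the case study): point a DC's DNS role at two DMZ resolvers
# only, never at Internet root servers, and publish a service alias as a CNAME so a
# server replacement changes one record instead of every client path.
# Requires the DnsServer module (RSAT / DNS role); run on the DC.
$DmzResolvers = @('192.0.2.10', '192.0.2.11')  # placeholders: the two DMZ DNS servers
$Zone         = 'corp.example.com'              # placeholder: internal AD zone

# Forward all non-authoritative queries to the DMZ resolvers. Disabling root hints
# means that if both forwarders are down the DC fails closed rather than going to
# the Internet itself, which is exactly the exposure the design avoids.
Set-DnsServerForwarder -IPAddress $DmzResolvers -UseRootHint $false -Timeout 3

# Service alias: clients and scripts use files.corp.example.com; only the alias
# target changes when fs01 is replaced by fs02. A short TTL keeps the cutover quick.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'files' `
    -HostNameAlias "fs01.$Zone" -TimeToLive (New-TimeSpan -Minutes 5)

# Verification: the forwarder list must contain only DMZ addresses, and the alias
# must resolve through the local server.
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress
Resolve-DnsName -Name "files.$Zone" -Type CNAME -Server localhost
```

One caveat for file-server aliases: Kerberos authentication is tied to the name the client uses, so an SMB alias such as `files.corp.example.com` also needs a matching service principal name registered on the file server's computer account (for example with `setspn`), otherwise clients fall back to NTLM or fail to connect.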
The DHCP server is responsible for assigning IP addresses to computers in the different vLAN segments. The resource vLAN does not have a DHCP server for security purposes.
For the Certificate Authority (CA), we deployed an offline standalone root CA and a subordinate (issuing) CA. The root CA is kept turned off to minimize the attack surface that could lead to its compromise. Each user and each computer in the domain receives a certificate.
File services: The requirement was to provide file storage locations for users, departments, and teams (users from different departments), as well as a location for all users. In addition, the customer wanted folder redirection, which stores the special folders such as Desktop, My Documents, and My Pictures on the server. Windows File Server Resource Manager was used to meet these requirements. The system was designed so that an AD administrator can grant or revoke a user's access to folders without touching the file system's NTFS permissions. In short, admin AD groups were created and given permissions at the file system and share levels. These groups are created when a new share or folder is created and, as a general rule, are never changed afterwards. Helpdesk personnel do not have access to modify these groups. A second set of AD groups was created and made members of the first set. Helpdesk grants access to folders by adding users to these second-tier groups in an easy and intuitive way.
The "Folder Enumeration" feature (Access-Based Enumeration) was turned on where applicable; it prevents folders from being displayed to users who do not have permission to access them.
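The two-tier group model and the enumeration setting from the two paragraphs above, written out for one departmental share. This is an added example for this page, not the customer's provisioning script; the OU paths, share path, group naming scheme and user name are constructed assumptions.

```powershell
# Added example (not from the case study): provision a departmental share with
#   tier 1 "resource" groups that hold the NTFS/share permissions and are never edited
#   by helpdesk, and tier 2 "role" groups nested into them that helpdesk may edit.
# Requires the ActiveDirectory and SmbShare modules; run on the file server.
$Dept      = 'Marketing'
$SharePath = 'D:\Shares\Marketing'                                        # placeholder
$ResOU     = 'OU=Resource Groups,OU=Groups,DC=corp,DC=example,DC=com'      # placeholder
$RoleOU    = 'OU=Role Groups,OU=Groups,DC=corp,DC=example,DC=com'          # placeholder
$Domain    = (Get-ADDomain).NetBIOSName

# Tier 1: one domain-local resource group per access level (read/write, read-only).
foreach ($Level in 'RW', 'RO') {
    New-ADGroup -Name "ACL_${Dept}_${Level}" -GroupScope DomainLocal `
        -GroupCategory Security -Path $ResOU
}
# Tier 2: global role groups that helpdesk manages, nested into the matching tier 1 group.
New-ADGroup -Name "Role_${Dept}_Editors" -GroupScope Global -GroupCategory Security -Path $RoleOU
New-ADGroup -Name "Role_${Dept}_Readers" -GroupScope Global -GroupCategory Security -Path $RoleOU
Add-ADGroupMember -Identity "ACL_${Dept}_RW" -Members "Role_${Dept}_Editors"
Add-ADGroupMember -Identity "ACL_${Dept}_RO" -Members "Role_${Dept}_Readers"

# NTFS: break inheritance and grant only SYSTEM, local Administrators and the tier 1 groups.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
$Acl = Get-Acl -Path $SharePath
$Acl.SetAccessRuleProtection($true, $false)   # protect ACL, discard inherited entries
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';       Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators';    Rights = 'FullControl' },
    @{ Id = "$Domain\ACL_${Dept}_RW";    Rights = 'Modify' },
    @{ Id = "$Domain\ACL_${Dept}_RO";    Rights = 'ReadAndExecute' }
)
foreach ($E in $Entries) {
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $E.Id, $E.Rights, $Inherit, $Prop, $Allow)
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $SharePath -AclObject $Acl

# Share: only the tier 1 groups appear at the share level, and AccessBased enumeration
# hides folders the caller cannot open (the "Folder Enumeration" feature in the text).
New-SmbShare -Name $Dept -Path $SharePath `
    -FullAccess "$Domain\ACL_${Dept}_RW" -ReadAccess "$Domain\ACL_${Dept}_RO" `
    -FolderEnumerationMode AccessBased

# Day-to-day operation: helpdesk grants access by editing a tier 2 group only;
# NTFS and the tier 1 groups are never touched.
Add-ADGroupMember -Identity "Role_${Dept}_Editors" -Members 'jdoe'   # placeholder user
```

Delegating write access on the role-group OU to the helpdesk group, and explicitly not on the resource-group OU, is what makes the separation enforceable rather than a convention. Because the NTFS ACL is the effective limit, a user added to the Readers role group gets read access even though the share itself is reachable.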
Lastly, we implemented File Classification Infrastructure (FCI) with user and device claims. This allows an administrator to define classification properties and assign them to folders and files. Rules can then be defined based on these properties to restrict or allow access to these files according to user attributes. Furthermore, the classification properties play a major role in the organization's Data Leak Prevention (DLP) efforts, as Exchange and other systems can act on them.
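The classification side of that setup, as an added example for this page rather than the customer's own script: a Sensitivity resource property and a Department user claim are defined in Active Directory (the Windows feature that carries user and device claims is Dynamic Access Control), published to the file server, and used by FSRM classification rules that tag files by location and by content. Property names, paths and the content pattern are constructed assumptions.

```powershell
# Added example (not from the case study). Part 1 runs on a DC (ActiveDirectory module),
# part 2 on the file server (FileServerResourceManager module, part of the FSRM role).

# --- Part 1: AD claim type and resource property for Dynamic Access Control ---
# User claim taken from the 'department' attribute; device claims are created the same way.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department'

# Resource property with a fixed value list. IsSecured makes it usable in access checks.
$Values = foreach ($v in 'Public', 'Internal', 'Confidential') {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($v, $v, "Sensitivity: $v")
}
New-ADResourceProperty -DisplayName 'Sensitivity' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $Values
# File servers download properties from this list.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Sensitivity'

# --- Part 2: file server classification with the AD-defined property ---
Update-FsrmClassificationPropertyDefinition          # pull the AD property definitions
$Prop = (Get-FsrmClassificationPropertyDefinition |
         Where-Object DisplayName -eq 'Sensitivity').Name

# Rule 1: everything under the Legal share is Confidential simply by where it lives.
New-FsrmClassificationRule -Name 'Legal folder is Confidential' `
    -Property $Prop -PropertyValue 'Confidential' `
    -Namespace @('D:\Shares\Legal') -ClassificationMechanism 'Folder Classifier'

# Rule 2: any file under D:\Shares whose content matches a constructed project-code
# pattern is Confidential regardless of where a user saved it.
New-FsrmClassificationRule -Name 'Project code in content' `
    -Property $Prop -PropertyValue 'Confidential' `
    -Namespace @('D:\Shares') -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('PRJ-[0-9]{4}-SECRET')

# Classify new and modified files continuously, and run a full pass over existing data now.
Set-FsrmClassification -Continuous $true
Start-FsrmClassification

# Verification: confirm both rules are registered against the synced property name.
Get-FsrmClassificationRule | Select-Object Name, Property, PropertyValue, Namespace
```

With the property in place, the access-control half is a Central Access Rule in AD whose resource condition targets Sensitivity and whose permission condition compares the user's Department claim to the value the organization expects; the same property value is what an Exchange transport rule or another DLP system reads from the file to decide whether it may leave the organization.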